On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced several actions focused on disrupting criminal digital finance infrastructure, including virtual currency exchanges, responsible for laundering cyberattack ransoms, and encouraging incident and ransomware payment reporting to U.S. authorities. OFAC issued an updated advisory on potential sanctions risks associated with facilitating ransomware payments (the “Advisory”). OFAC also added Russia-based cryptocurrency exchange Suex.io to its Specially Designated Nationals and Blocked Persons List (the “SDN List”). This is the first cryptocurrency exchange to be added to the SDN List. Treasury’s actions aim to advance the U.S. government’s broader counter-ransomware strategy. Below we discuss several practical sanctions risk mitigation strategies for companies in light of OFAC’s recent actions.
OFAC Updated Ransomware Advisory
The Advisory highlights the sanctions risks associated with making and facilitating ransomware payments in the cyber context. The Advisory updates and supersedes OFAC’s prior advisory on the same topic issued on October 1, 2020. Persons determined to facilitate ransomware payments may violate OFAC regulations if the payments involve, directly or indirectly, targets of U.S. sanctions. U.S. persons are generally forbidden to engage, directly or indirectly, in transactions involving sanctions targets, including SDNs and other blocked persons, and their 50%-or-more owned affiliates, as well as persons located, organized or residing in comprehensively sanctioned jurisdictions. Non-U.S. persons are prohibited from causing a U.S. person to violate any sanctions authorized by the International Emergency Economic Powers Act, as amended. U.S. persons, wherever located, are also generally prohibited from facilitating non-U.S. persons’ actions that could not be directly performed by U.S. persons due to U.S. sanctions regulations.
The Advisory emphasizes that OFAC continues to strongly discourage payment of ransom in connection with cyberattacks and that it will continue to impose sanctions on persons who materially assist, sponsor, or provide financial, material, or technological support for ransomware activities. The U.S. Department of Justice may also bring criminal charges in connection with ransomware schemes. As noted in the Advisory and the 2020 advisory, OFAC will review license applications involving ransomware payments resulting from cyberattacks on a case-by-case basis with a presumption of denial.
Most notably, the Advisory includes steps companies can take to mitigate the sanctions enforcement risks associated with ransomware payments. It specifies that OFAC will consider the following actions by a company to be mitigating factors in any OFAC enforcement action:
- Adopting or improving cybersecurity practices to reduce the risk of cyber extortion;
- Self-initiated, timely, and complete reporting of ransomware attacks to the U.S. government (which OFAC will also consider a voluntary self-disclosure); and
- Cooperation with OFAC, law enforcement, and other relevant agencies.
In addition, the Advisory emphasizes the importance of a risk-based sanctions compliance program. In particular, companies that engage with victims of ransomware – including those that provide cyber insurance, digital forensics and incident responses, and financial services that may involve processing ransom payments – should account in their policies for the risk that a ransomware payment may involve a sanctions target.
Designation of Digital Currency Exchange for Complicit Financial Services
For the first time, OFAC designated a virtual currency exchange, Suex OTC, S.R.O. (a.k.a. “Successful Exchange,” “Suex”) for facilitating financial transactions for ransomware actors (involving illicit proceeds from at least eight ransomware variants). Suex was designated pursuant to Executive Order 13,694 of April 1, 2015, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” As a result of the designation, all of Suex’s property and interests in property subject to U.S. jurisdiction are blocked. According to the U.S. government’s analysis, more than 40 percent of the known transactions on Suex were associated with illicit actors. OFAC also added a number of Bitcoin, Ether, and Tether digital wallets addresses associated with Suex to the SDN List.
Practical Sanctions Risk Mitigation Strategies
- Be proactive. The government recommends focusing on strengthening technical defensive and resilience measures to prevent and protect against ransomware attacks. Specifically, OFAC recommends measures including “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.”
- Contact U.S. authorities. When a company is a victim of a cyberattack and related ransom demand that may have a sanctions nexus, the single most important action a company can take to mitigate its sanctions risk is to notify U.S. authorities, including law enforcement, OFAC and, as appropriate, the Cybersecurity and Infrastructure Security Agency or the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection as soon as possible, providing as many details as possible.
- Conduct due diligence before making any ransomware payments. While the U.S. government strongly discourages companies facing ransomware demands to pay the ransom, sometimes a victim believes it has no choice but to pay to avoid losing its data or having it exposed. The latest Treasury actions make clear the importance of thorough counterparty due diligence and screening in connection with making any ransomware payments, in order to limit the victim’s potential sanctions exposure. A company contemplating using a ransom negotiator must understand the negotiator’s processes for investigating the potential sanctions connections of the illicit actor seeking the ransom. For example, does the negotiator conduct forensic analysis by analyzing the digital footprint of the threat actor, including the cryptocurrency wallet address to which the funds are being sent? Additionally, the victim should obtain evidence of the ransom negotiator’s diligence processes and conclusion that, to the best of the negotiator’s knowledge after investigation, the party demanding the ransom is not a sanctioned party.
- Virtual currency exchanges must implement effective anti-money laundering programs. OFAC’s designation of Suex demonstrates the sanctions risks for virtual currency exchanges of failing to take adequate measures to prevent the use of the exchange by illicit actors to launder their cyberattack ransoms.
 Ransomware is a form of malicious software (“malware”) designed to block access to a computer system or data, often by encrypting data or information technology systems to extort payments from victims in exchange for a decryption key to restore victims’ access to their systems or data. Where the victim’s data is also exfiltrated, the illicit actors generally promise to delete the exfiltrated data in exchange for payment of the ransom.
 For example, in 2019, when OFAC designated Maksim Yakubets and Igor Turashev for development and distribution of malware, the United States (through the Departments of Justice and State) and the UK also charged them in connection with a decade-long cybercrime scheme. In 2021, the U.S. Department of Justice charged three North Korean programmers with participating in a criminal conspiracy involving cyberattacks, extortion of money and cryptocurrency, malware applications, and a fraudulent blockchain platform. OFAC previously designated one of the individuals under its North Korea-related sanction program in 2018.
 OFAC has previously blocked numerous cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions. For example, in 2016, OFAC designated Evgeniy Mikhailovich Bogachev, developer of a ransomware variant known as Cryptolocker, and in 2018, OFAC designated two Iran-based financial facilitators of malicious cyber activity relating to SamSam ransomware.